Skip to main content
SVDY Logo
Trust center

/

Sub-processors

Sub-processors

Per GDPR Article 28(2), the third-party services svdy uses to process your data. Updated when our stack changes. Last review: 2026-05-24.

ProviderServiceRegionData accessed

Amazon Web Services

DPA / privacy →
Cloud hosting (compute, database, storage, CDN)us-east-1 (N. Virginia, USA)All customer data — workers, attendance entries, documents, logs

Stripe

DPA / privacy →
Payment processing for subscriptionsUnited States + EU (Stripe Atlas global)Billing contact, last 4 digits of card, charge history. NEVER full card data — Stripe-side tokenisation.

Amazon SES

DPA / privacy →
Transactional email (sign-up, password reset, alerts)us-east-1Recipient email address, message body. Subject to AWS DPA.

Expo (EAS)

DPA / privacy →
Mobile push notifications via APNs / FCMUnited StatesDevice push token (anonymous), notification body. No PII inside push payloads.

Cloudflare

DPA / privacy →
Authoritative DNS (svdy.com / qutime.com / pureoa.com)Global (anycast)DNS query metadata only. svdy uses Cloudflare DNS in grey-cloud mode — NOT proxied — so no customer payload traverses Cloudflare.

Update protocol

When we add or remove a sub-processor, we:

1. Update this page within 7 days of the change.

2. Email customers 30 days before the change takes effect, with the new processor's name + region + data scope.

3. Honour customer objections under your DPA — typically by ring-fencing your tenant from the affected processor.